Plan for Service Account Transitioning

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Most services run within the context of the Local System account and because of this, they do not need any maintenance when they are migrated to a different domain. Some services, however, run in the context of a user account instead of the Local System account.

Service account transitioning refers to the process of identifying, migrating, and updating services that run in the context of user accounts. This process has three steps. First, start ADMT on a Windows Server 2003–based member server in the target domain, and then run the Service Account Migration Wizard. The wizard sends an agent to each computer that you specify and identifies all services on that computer that are running in the context of a user account. At this stage the wizard only identifies those service accounts and records the information in the ADMT database; it does not migrate the accounts. The next step, which can occur later in the transition process, is to migrate the accounts by using the User Account Migration Wizard when you migrate the other user accounts.

For information about installing and initializing ADMT, see "Install ADMT" later in this chapter.

The Service Account Migration Wizard checks every service on a computer to identify services that run in the context of a user account. This creates a possible security hole during the migration of service accounts: someone who is not a service administrator can configure a service on their computer to run under an account that has administrative permissions in the source domain, using an invalid password. The service will not start before the account migration, because the password is incorrect, but it will start after migration, because ADMT resets the password of the service account and configures every service that uses that account with the new password.

To eliminate this possible security problem, it is important to include in the Service Account Migration Wizard only those servers that are managed by trusted administrators. Do not use the Service Account Migration Wizard to detect service accounts on computers that are not managed by trusted administrators, such as workstations.

If a trusted computer is not identified and transitioned, its service accounts are not updated, and you must set the new password that ADMT created manually. To do this, obtain the password from the Password.txt file, and then enter that account and password information for the service on the computer that was not transitioned.

When the accounts that the Service Account Migration Wizard identifies in the ADMT database as running in the context of a user account are migrated to the target domain, ADMT grants each account the right to log on as a service.
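The two checks a practitioner wants around the passage above are an inventory of which services on the trusted servers actually run under user accounts (so the list of servers given to the wizard can be reviewed, and any service that is set to start automatically but is not running, the symptom of the wrong-password case described earlier, can be examined before migration), and a way to set the logon account on a server that was not transitioned. The following PowerShell script is an added example and is not part of the Microsoft documentation or of ADMT itself. It assumes WMI is reachable on each server and that the caller is a local administrator there; the server names, the domain names and the function names are placeholders chosen for the example.

```powershell
# Added example (not from the ADMT documentation): inventory services that run
# under user accounts and, separately, set a service logon account on a server
# that was not transitioned. Win32_Service is queried through WMI, which is
# available on Windows Server 2003.

$sourceDomain = 'SOURCEDOM'                  # placeholder NetBIOS name of the source domain
$servers      = @('FILESRV01', 'APPSRV02')   # placeholder names of trusted servers

# Built-in accounts that need no service account transitioning
$builtIn = @(
    'LocalSystem',
    'NT AUTHORITY\LocalService',
    'NT AUTHORITY\NetworkService',
    'NT AUTHORITY\LOCAL SERVICE',
    'NT AUTHORITY\NETWORK SERVICE'
)

# Returns one object per service that runs in the context of a user account.
# ReviewBeforeMigration is set when the service is configured to start
# automatically but is not running, which is worth checking before the
# account's password is reset by ADMT.
function Get-UserServiceAccounts {
    param([string[]]$ComputerName, [string]$SourceDomain)

    foreach ($computer in $ComputerName) {
        $services = Get-WmiObject -Class Win32_Service -ComputerName $computer -ErrorAction SilentlyContinue
        if (-not $services) {
            Write-Warning "Could not query services on $computer"
            continue
        }
        foreach ($svc in $services) {
            if ([string]::IsNullOrEmpty($svc.StartName)) { continue }
            if ($builtIn -contains $svc.StartName) { continue }   # -contains is case-insensitive
            # '.\name' is a local account; 'DOMAIN\name' identifies the domain
            $inSourceDomain = $svc.StartName -like "$SourceDomain\*"
            $suspect = ($svc.StartMode -eq 'Auto') -and ($svc.State -ne 'Running')
            New-Object PSObject -Property @{
                Computer              = $computer
                Service               = $svc.Name
                LogOnAs               = $svc.StartName
                StartMode             = $svc.StartMode
                State                 = $svc.State
                InSourceDomain        = $inSourceDomain
                ReviewBeforeMigration = $suspect
            }
        }
    }
}

# Sets the logon account and password of one service on a computer that did not
# get transitioned, using the password that ADMT wrote to Password.txt, and then
# restarts the service so that it picks up the new credentials.
function Set-ServiceLogonAccount {
    param(
        [string]$ComputerName,
        [string]$ServiceName,
        [string]$Account,       # e.g. 'TARGETDOM\svc_backup' (placeholder)
        [string]$Password
    )
    $svc = Get-WmiObject -Class Win32_Service -ComputerName $ComputerName -Filter "Name='$ServiceName'"
    if (-not $svc) { throw "Service $ServiceName not found on $ComputerName" }
    # Win32_Service.Change: only StartName and StartPassword are supplied;
    # $null leaves every other setting unchanged.
    $result = $svc.Change($null, $null, $null, $null, $null, $null, $Account, $Password)
    if ($result.ReturnValue -ne 0) {
        throw "Change failed on $ComputerName\$ServiceName with return code $($result.ReturnValue)"
    }
    $svc.StopService()  | Out-Null
    $svc.StartService() | Out-Null
}

# Usage: list the candidate service accounts on the trusted servers.
Get-UserServiceAccounts -ComputerName $servers -SourceDomain $sourceDomain |
    Sort-Object Computer, Service |
    Format-Table Computer, Service, LogOnAs, StartMode, State, InSourceDomain, ReviewBeforeMigration -AutoSize
```

Run the inventory against the servers you intend to add on the Service Account Selection page; any row with ReviewBeforeMigration set should be confirmed with the server's administrator before the wizard is allowed to record it. Set-ServiceLogonAccount corresponds to the manual step for a server that was not transitioned, for example: Set-ServiceLogonAccount -ComputerName 'FILESRV01' -ServiceName 'BackupSvc' -Account 'TARGETDOM\svc_backup' -Password $passwordFromPasswordTxt.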

To run the Service Account Migration Wizard

  1. In ADMT, start the Service Account Migration Wizard.

  2. Complete the wizard by using the information in Table 12.3.

    Table 12.3   Using the Service Account Migration Wizard

    Wizard Page                  Action
    ---------------------------  -------------------------------------------------------------
    Domain Selection             In the Source domain box, type or select the NetBIOS or DNS
                                 name of the source domain.
                                 In the Target domain box, type or select the NetBIOS or DNS
                                 name of the target domain.
    Update Information           Click Yes, update the information.
    Service Account Selection    Click Add.
                                 In the Select Computers list box, select all servers that have
                                 service accounts.
                                 Click OK, and then click Next.
    Service Account Information  Select any user accounts that do not need to be marked as
                                 service accounts in the ADMT database, and then click
                                 Skip/Include to mark the accounts as Skip.

The wizard connects to the selected computers, and then sends an agent to check every service on the remote computers. The Service Account Information page lists the services that are running in the context of a user account and the name of that user account. ADMT notes in its database that these user accounts need to be migrated as service accounts. If you do not want a user account to be migrated as a service account, select the account, and then click Skip/Include to change the status from Include to Skip.

You use Update SCM to update the Service Control Manager on a computer with the new account information. The Update SCM button is available only when ADMT failed to reach a computer to update a service. If you have a problem updating a service account after the account was identified and migrated, ensure that the computer that you are trying to reach is available, and then restart the Service Account Migration Wizard. In the wizard, click Update SCM to try to update the service again. If you ran the Service Account Migration Wizard previously and the Update SCM button is not available, examine the ADMT log files to determine the cause of the problem. After you correct the problem and the agent can connect successfully, the Update SCM button becomes available.